Fine grained row level access to Dynamodb via Cognito Authorizer


Im able to only allow logged in users to access my Api gateway endpoint via Cognito Authorizer. The next step is to allow users to only access their data in Dynamodb. For that Im taking the role ARN (which is defined in my user group) from the lambda request event, and assuming that role before querying Dynamodb. Here's my DynamoDB policy. If I hardcode the cognito user pool sub, which matches the portion key on the table, it works, which means my policy is correct. I just can't figure out how to dynamically get the user pool sub in the policy.

    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": [
            "Resource": [
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        <NOT SURE WHAT TO ADD HERE>
2 Answers
  • Thanks for your reply. "${}" doesn't work unless you are using the indentity pool id as the partition key. In my case Im suing the user pool sub as partition key.


OK. I am not aware of how to accomplish this without using Cognito Identity Pools. This blog explains how you can use Cognito Identity Pools with Cognito User Pools to achieve fine-grained authorization -

profile picture
answered 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions